Transcript

Berlin

Jumpstart Your Hybrid Cloud Environment
Philipp Behre

Objectives

• Define hybrid infrastructure integration
• Showcase examples of hybrid implementation patterns
• Discuss common hybrid infrastructure workloads

A path to the cloud

[Roadmap slide, shown again before each section: Start → What is hybrid infrastructure? → Connectivity (Amazon VPC, VPN, AWS Direct Connect) → Integrated authentication (Enterprise integration, Federation) → Operations monitoring → Common workloads in hybrid infrastructure (Backup & archive, Storage expansion)]

Expand your data center to the cloud

[Diagram: Corporate Data Center extended into the cloud]

What do we mean by a “hybrid integration”?

[Diagram: on-premises resources (data center) on one side, cloud services (cloud infrastructure) on the other, joined by four integration layers:]

• Workload migration and integration
• Enterprise management tools
• Access/authentication control integration
• Connectivity

Identifying What Needs To Be Done

We examine each of these perspectives with you to identify the goals, implications, and specifically what needs to be addressed.

A path to the cloud: Connectivity

AWS Virtual Private Network (IPSec VPN)

o IPSec hardware VPN connection; supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
o Encryption and validation
o Private RFC 1918 addressing
o Uses Border Gateway Protocol (BGP) for routing and fail-over
o VPN service provides managed redundant end-points

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

[Diagram: corporate data center (users, servers, data center router) connected across the Internet by an IPSec VPN to the Virtual Gateway, behind which sit VPC subnets in two Availability Zones, each with its own security group]

AWS Direct Connect

o Requires Layer 2 single mode fiber: 1000BASE-LX or 10GBASE-LR
o Requires 802.1Q VLANs across the connection (tagging of IP traffic)
o Routing uses BGP A/A (active/active) or A/P (active/passive) multipath
o Each DX is mapped to a single AWS Region

http://aws.amazon.com/directconnect/

[Diagram: corporate data center (users, servers, data center router, customer router) connected to the AWS Direct Connect routers at an AWS Direct Connect location, then to the Virtual Gateway and VPC subnets in two Availability Zones, each with its own security group]

AWS Direct Connect + AWS VPN

o Dedicated network path with assured bandwidth
o More secure than an Internet-based IPSec VPN: traffic does not traverse the Internet
o Reduced IPSec network transfer costs
o Additional network security: Direct Connect on its own does not encrypt traffic, so running the IPSec VPN over the dedicated path adds encryption on top of the private circuit

http://aws.amazon.com/directconnect/

[Diagram: corporate data center (users, servers, data center router, customer router) running an IPSec VPN over Direct Connect to the AWS Direct Connect routers at an AWS Direct Connect location and on to the Virtual Gateway]

A path to the cloud: Integrated authentication

Active Directory and LDAP

o Reduced back-reach traffic
o Reduced latency for authentication
o Additional resiliency
o Enablement of both:
  - Multi-master read/write domain controllers
  - Read-only domain controllers (RODCs)

Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/

Active Directory Replication

[Diagram: corporate data center (users, servers, AD.Domain with two domain controllers) replicating across the Virtual Gateway to a domain controller in a VPC subnet (Availability Zone, security group)]

Security group: ports to allow for replication

Type   Port numbers
TCP    54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP    53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535
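The port table above is only useful if the security group that carries it is scoped to the two domain-controller networks and nothing wider. The following added example (not from the talk or from AWS) parses the slide's port list into ranges, builds ingress permissions in the IpPermissions shape the EC2 API uses, restricted to one source CIDR, and audits an existing rule set for anything broader than the AD design allows. The CIDRs are constructed, the port strings are copied from the slide as printed (check them against the AD reference architecture linked above), and nothing here calls AWS.

```python
"""Least-privilege security group rules for AD replication between
on-premises domain controllers and domain controllers in a VPC.
Added example: rule shape and checks are this example's own; no AWS calls."""
import ipaddress

# Port table as printed on the slide.
AD_PORTS = {
    "tcp": "54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535",
    "udp": "53,67,123, 138, 389, 445, 464, 2535, 5355, 49152-65535",
}

ON_PREM_CIDR = "10.0.0.0/16"   # constructed: corporate data center (RFC 1918)
VPC_CIDR = "10.1.0.0/16"       # constructed: VPC address range


def parse_ports(spec):
    """Turn '53, 88, 49152-65535' into a sorted list of (from, to) tuples."""
    ranges = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {token}")
        ranges.append((lo, hi))
    return sorted(ranges)


def build_ingress(source_cidr, ports=AD_PORTS):
    """One ingress permission per protocol/port range, allowed only from source_cidr."""
    net = ipaddress.ip_network(source_cidr)
    if not net.is_private:
        raise ValueError("AD replication should only be reachable from RFC 1918 space")
    perms = []
    for proto, spec in ports.items():
        for lo, hi in parse_ports(spec):
            perms.append({
                "IpProtocol": proto,
                "FromPort": lo,
                "ToPort": hi,
                "IpRanges": [{"CidrIp": str(net), "Description": "AD replication"}],
            })
    return perms


def audit_ingress(perms, allowed_cidrs):
    """Return findings for rules whose source is wider than the allowed networks
    (0.0.0.0/0 or any non-listed range), so a drift check can alert on them."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for p in perms:
        for r in p.get("IpRanges", []):
            src = ipaddress.ip_network(r["CidrIp"])
            if not any(src.subnet_of(a) for a in allowed):
                findings.append(f"{p['IpProtocol']}/{p['FromPort']}-{p['ToPort']} open to {src}")
    return findings


if __name__ == "__main__":
    rules = build_ingress(ON_PREM_CIDR)
    print(f"{len(rules)} ingress rules, findings: {audit_ingress(rules, [ON_PREM_CIDR, VPC_CIDR])}")
```

The same audit function can be pointed at the permissions returned by a describe-security-groups call; the replication rule set should produce no findings, and any rule that names 0.0.0.0/0 on one of these ports is reported by protocol and port.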

AWS Directory Service

o Deploys in two modes:
  - Directory Service Connect
  - Simple AD, built on a Samba 4 Active Directory compatible server
o Simplifies IAM federation:
  - Avoids the complexity and cost of hosting SAML-based federation infrastructure
  - Acts as a proxy: no data is stored on AWS infrastructure
  - Supports existing RADIUS-based MFA

Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/

[Diagram: AWS Directory Service Connect in a VPC subnet (Availability Zone, security group) proxying across the Virtual Gateway to the domain controller in the corporate data center (AD.Domain, users, servers); second VPC subnet in another Availability Zone with its own security group]

AWS federation/account governance

[Diagram: multi-account layout with the personas that use each account]

• Financial users, controllers: Billing account (Consolidated Billing, Billing Alerts)
• SOC/Auditors: Security / Audit account (read-only access for all accounts)
• Global AWS admin: User management account
• Software development (app owners, DevOps teams): Non-prod account #1, Non-prod account #2, Production account #1

Account categories: Security/audit, Production, Dev/test/sandbox, Financial

Operations Monitoring

o Security monitoring integration points with CloudTrail and a SIEM aggregator.
o Logging with CloudTrail and SNMP MIBs to the SIEM aggregator.
o Platform and app health to the SIEM aggregator via an agent on the EC2 guest.
o Access to patching and updates for AMIs by the on-premises update server.

[Diagram: corporate data center (users, data center router, update servers, SIEM aggregator) connected over the hybrid connectivity to the Virtual Gateway; VPC subnets in two Availability Zones with security groups; AWS CloudTrail and Amazon CloudWatch feeding the SIEM aggregator]
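CloudTrail delivers JSON files, and most SIEM collectors want flat events, so the integration point is a small normaliser with a first layer of detection in front of it. The following added example (not from the talk or from AWS) parses CloudTrail-style records, flattens each into a key=value line, and raises severity for two classes of call a SOC should see immediately: anything that weakens the trail itself and a security group change that opens a port to 0.0.0.0/0. The records are constructed to mimic CloudTrail's layout; the severity rules and the output format are this example's own choices.

```python
"""Normalise CloudTrail records for a SIEM and flag high-risk API calls.
Added example: the records, rules and line format are constructed for this demo."""
import json

# Constructed CloudTrail-style records; two of them describe changes a SOC would want to see.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-09-01T08:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-central-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "corp-trail"}},
    {"eventTime": "2015-09-01T08:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/bob"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 389, "toPort": 389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-09-01T08:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-central-1", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "requestParameters": None},
]})

# API calls that reduce audit coverage; any occurrence is worth an alert.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def cidrs_in(params):
    """Yield every cidrIp in an EC2 request's ipPermissions (CloudTrail nests lists under 'items')."""
    perms = ((params or {}).get("ipPermissions") or {}).get("items", [])
    for perm in perms:
        for r in (perm.get("ipRanges") or {}).get("items", []):
            yield r.get("cidrIp")


def classify(record):
    """Return a severity label for one CloudTrail record."""
    name = record["eventName"]
    if name in AUDIT_TAMPERING:
        return "critical"
    if name == "AuthorizeSecurityGroupIngress" and "0.0.0.0/0" in set(cidrs_in(record.get("requestParameters"))):
        return "high"
    return "info"


def actor(record):
    """Best available identity string: IAM user name, else the assumed-role ARN, else the type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def to_siem(record):
    """Flatten a record into one key=value line, a shape most SIEM collectors accept."""
    fields = {
        "time": record["eventTime"], "severity": classify(record),
        "actor": actor(record), "src": record.get("sourceIPAddress", "-"),
        "region": record.get("awsRegion", "-"), "service": record["eventSource"],
        "event": record["eventName"],
    }
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


def process_trail(raw_json):
    """Parse one CloudTrail file; return (all SIEM lines, the high/critical subset to alert on)."""
    records = json.loads(raw_json)["Records"]
    lines = [to_siem(r) for r in records]
    alerts = [line for line, r in zip(lines, records) if classify(r) in ("critical", "high")]
    return lines, alerts


if __name__ == "__main__":
    _, alerts = process_trail(SAMPLE_TRAIL)
    print("\n".join(alerts))
```

In the real pipeline the loop runs over the gzipped files CloudTrail writes to S3 and the lines go to the aggregator's syslog or HTTP input; the classification stays the same, and the StopLogging alert is the one to test first, because it is the event that would blind everything after it.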

A path to the cloud: Common workloads in hybrid infrastructure

Backup and archiving

o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options like:
  - De-duplication
  - Compression
  - WAN acceleration

[Diagram: corporate data center (application server, virtual server, file server, database server, backup system) attached over iSCSI to an AWS Storage Gateway, which writes to Amazon Simple Storage Service (S3) and archives to Amazon Glacier]

AWS Marketplace partners: Symantec NetBackup, Veeam Backup & Replication, Cloud ONTAP Secure Cloud-Integrated Backup

Storage expansion

o Virtual volumes presented to the local network: iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premises access
o Gateway-side encryption for security

[Diagram: corporate data center (application server, virtual server, file server, database server) attached over iSCSI to a storage appliance / AWS Storage Gateway backed by Amazon Simple Storage Service]

AWS Marketplace partners: Cloud ONTAP Secure Cloud-Integrated Backup, Panzura Global NAS, TwinStrata CloudArray

A path to the cloud: one more excursion


An integrated approach to gain transparency

[Diagram, read as a flow:]

• IT Admin: create/update and validate a template, then publish it to AWS Service Catalog
• Project teams: select & provision from the catalog, which provisions a resource stack
• AWS Config: catalogs resources & changes and notifies on each change
• AWS CloudWatch alarm: monitors AWS & application, initiates actions and notifies
• AWS CloudTrail: captures all API interaction and secures the audit data in Amazon S3 (durable storage)
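The transparency in this flow comes from AWS Config noticing every resource and change, and from a rule that can say whether a resource came through the catalog at all. The following added example (not from the talk or from AWS) shows the evaluation logic such a rule needs: it takes configuration items in the shape AWS Config hands to a custom rule (resourceType, resourceId, tags, configuration), marks resources that were not provisioned from Service Catalog or lack the template's mandatory tags as non-compliant, and reports which configuration keys changed between two snapshots. The items are constructed; the tag key it relies on, aws:servicecatalog:provisionedProductArn, is assumed to be the one Service Catalog stamps on resources it provisions, and the required tag names are this example's own.

```python
"""Config-style compliance evaluation for 'provisioned via Service Catalog'.
Added example: items, tag names and rule logic are constructed for this demo."""

CATALOG_TAG = "aws:servicecatalog:provisionedProductArn"   # assumed Service Catalog tag key
REQUIRED_TAGS = ("Project", "Owner")                        # constructed: enforced by the template
PP_ARN = "arn:aws:servicecatalog:eu-central-1:111122223333:stack/demo/pp-example"  # constructed

# Constructed configuration items in the layout AWS Config delivers to custom rules.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0aaa",
     "configurationItemStatus": "OK",
     "tags": {"Project": "payments", "Owner": "team-a", CATALOG_TAG: PP_ARN},
     "configuration": {"instanceType": "t2.micro", "state": "running"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0bbb",
     "configurationItemStatus": "ResourceDiscovered",
     "tags": {"Project": "payments", "Owner": "team-a"},          # launched by hand, no catalog tag
     "configuration": {"instanceType": "m4.large", "state": "running"}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ccc",
     "configurationItemStatus": "OK",
     "tags": {"Project": "payments", CATALOG_TAG: PP_ARN},        # from the catalog, Owner missing
     "configuration": {}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ddd",
     "configurationItemStatus": "ResourceDeleted", "tags": {}, "configuration": None},
]


def evaluate(item):
    """Return (compliance, annotation) for one configuration item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource no longer exists"
    tags = item.get("tags") or {}
    if CATALOG_TAG not in tags:
        return "NON_COMPLIANT", "provisioned outside AWS Service Catalog"
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if missing:
        return "NON_COMPLIANT", "missing tags: " + ", ".join(missing)
    return "COMPLIANT", "provisioned from catalog with required tags"


def evaluate_all(items):
    """Evaluate a batch: {resourceId: compliance} plus the lines to send as change notifications."""
    results, notify = {}, []
    for item in items:
        compliance, why = evaluate(item)
        results[item["resourceId"]] = compliance
        if compliance == "NON_COMPLIANT":
            notify.append(f'{item["resourceType"]} {item["resourceId"]}: {why}')
    return results, notify


def changed_keys(previous, current):
    """Configuration keys whose value differs between two snapshots of the same resource."""
    prev, cur = previous or {}, current or {}
    return sorted(k for k in set(prev) | set(cur) if prev.get(k) != cur.get(k))


if __name__ == "__main__":
    _, notes = evaluate_all(SAMPLE_ITEMS)
    print("\n".join(notes))
```

Wired into a Config rule, the two non-compliant lines are what the "notifies" arrow in the diagram carries, and changed_keys gives the alarm enough context to say what moved rather than only that something did.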

Takeaway – (some) Services For Hybrid IT

[Table, columns: On premise | AWS]

Integrated Networking: Amazon Virtual Private Cloud, AWS Direct Connect
Integrated Identity: AWS Directory Service, Identity Federation
Integrated Management: vCenter & System Center Plugins, AWS Config, AWS CloudTrail
Deployment: AWS OpsWorks, AWS CodeDeploy
Backups: AWS Storage Gateway

Takeaways

• Connectivity is a key to a successful hybrid integration between cloud and corporate data center
• Authentication and authorization are the cornerstone of enterprise integration
• Hybrid infrastructure enables a variety of hybrid workload implementations